Disclosing cybersecurity risks

In the wake of the Equifax breach, which exposed personal information of roughly 145.5 million people, the Securities and Exchange Commission (SEC) has announced plans to update its interpretive guidance for disclosing cybersecurity issues. The SEC wants to remind public companies of their responsibility to keep investors informed when data is breached or severe hacks are attempted.

Need for change

At a recent American Bar Association meeting, David Fredrickson, chief counsel of the SEC’s Division of Corporation Finance, said that the SEC doesn’t expect to overhaul its Disclosure Guidance: Topic No. 2, Cybersecurity. But he said that the SEC needs to “refresh” it. Specifically, it plans to consider whether important information about cybersecurity should be disclosed to stakeholders within the context of the existing rules. For example, companies may need to beef up their management’s discussion and analysis (MD&A) and footnote disclosures to reflect potential cyberrisks and material financial implications of data breaches.

The current guidance on cybersecurity, which was published in 2011, doesn’t include a specific requirement for companies to disclose computer system intrusions. The SEC’s effort to update the guidance comes amid concerns that more public companies have been experiencing attacks to their computer systems, but their disclosures haven’t been timely or informative enough.

Investors in the past few years have been especially vocal about pushing companies to provide more information about cybersecurity. And SEC Chairman Jay Clayton has told lawmakers during congressional hearings that he believes companies can do a better job of disclosing the risks they face and the hacks into their computers.

Substance over form

Regulators in the SEC haven’t decided whether the update will be issued in the form of staff-level guidance or a regulatory release approved by the SEC’s commissioners. But Fredrickson has identified two new areas the SEC needs to address in the update:

Financial reporting controls and procedures that identify and disclose cybersecurity threats in a timely manner, and

Many public companies welcome additional guidance from the SEC. Currently, executives often find it difficult to determine the appropriate time to disclose a hack into their systems.

On the one hand, public companies feel a responsibility to share relevant information openly and honestly with stakeholders. On the other, they don’t want to prematurely disclose information about a breach before they know the extent of the damage or to release inaccurate information that later needs to be revised. Company executives may also be working with law enforcement, in which case they don’t want to disclose information that could compromise the investigation.

Lead by example

Public companies aren’t the only entities that struggle with determining the appropriate cyber-disclosures; the SEC has also faced criticism over how quickly it disclosed a breach of its own systems. Last September, the SEC reported a 2016 hack of its Electronic Data Gathering, Analysis and Retrieval (EDGAR) filing system.

Senator Sherrod Brown (D-OH), a ranking member of the Senate Banking Committee, told regulators during a September hearing that the SEC “must abide by the same, or even a higher standard” than that applied to companies.

“So when we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug,” Brown said. “What else are we not being told, what other information is at risk, and what are the consequences?”

Plan your breach protocol

Does your company have policies and procedures in place in case its systems are hacked? When a business is struck by a data breach, it’s not the time for do-it-yourself disclosures. Many legal and financial issues are at stake, so it’s important to premeditate a team of professional advisors — including legal, insurance and financial experts — to handle breach response, measure the impact and mitigate potential losses.